iptables can protect syn-flooding?
Wed, 6 Nov 2002 17:17:46 +0000
On Wednesday 06 November 2002 3:06 pm, Jon Anderson wrote:
> Can't guarantee that I'm right about the following, or that it's even
> relevant, but based on my experience, the following might help...
> SB CH (email@example.com) wrote:
> > I saw that we can protect syn-flooding using iptables like this.
> > $IPTABLES -N syn-flood
> > $IPTABLES -A INPUT -p tcp --syn -j syn-flood
> > $IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
> > $IPTABLES -A syn-flood -j DROP
> Of course one could achieve the same thing by using only two rules:
> iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT
> iptables -A INPUT -p tcp --syn -j DROP
Not really - the shorter version forces all SYN packets below the limit to be
ACCEPTed, whereas the longer version allows for later rules in the INPUT
chain to decide whether they ought to be accepted or not, based on the usual
things like source/destination address/port etc.
Abandon hope, all ye who enter here.
You'll feel much better about things once you do.
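The point in the reply above, as an added example that is not part of the original thread: the four-rule version keeps the rate limit and the per-port policy separate, because a SYN that passes the limit RETURNs to INPUT instead of being ACCEPTed. The script below builds that ruleset and then the ordinary address/port rules that still get a say. The interface, the 192.0.2.0/24 source range and the allowed ports are assumptions for illustration; by default the script only echoes the commands, set IPTABLES=/sbin/iptables (as root) to apply them.

```shell
#!/bin/sh
# Added example, not from the original post. Dry-run by default: every rule is
# echoed instead of applied. Export IPTABLES=/sbin/iptables to apply for real.
IPTABLES="${IPTABLES:-echo iptables}"

# Rate-limit all new-connection SYNs in a dedicated chain. Packets under the
# limit RETURN to INPUT, so the rules added later still decide their fate.
syn_flood_chain() {
    $IPTABLES -N syn-flood
    # --syn matches SYN set with ACK, RST and FIN clear, i.e. new connections.
    $IPTABLES -A INPUT -p tcp --syn -j syn-flood
    # Token bucket: 4 SYNs may pass at once, refilled at 1 per second.
    $IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
    # Anything over the limit is dropped here and never reaches INPUT again.
    $IPTABLES -A syn-flood -j DROP
}

# Normal per-port policy. With the two-rule variant (-j ACCEPT under the
# limit) these rules would never see a SYN at all. Ports and the assumed
# management network 192.0.2.0/24 are placeholders.
per_port_policy() {
    $IPTABLES -A INPUT -p tcp --syn --dport 22 -s 192.0.2.0/24 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --syn --dport 80 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --syn -j DROP
}

syn_flood_chain
per_port_policy
```

One caveat before relying on this: `-m limit` without further matches keeps a single global token bucket, not one per source, so during a real flood the attacker exhausts the budget and legitimate SYNs are dropped along with the bogus ones. It caps the backlog growth; it does not distinguish good clients from bad. The kernel's own protection for the SYN backlog is SYN cookies (net.ipv4.tcp_syncookies), which this ruleset complements rather than replaces.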